Privacy & Information Security Law Blog

A recent decision by the U.S. Couple of Appeals for the Sixth Circuit granting the IRS access to certain EU personal data has created potential legal compliance implications for multinational organizations subject to the EU GDPR.

On August 14, 2025, the New York Department of Financial Services announced a settlement with dental insurance management services provider, Healthplex, following an investigation conducted in the wake of a 2021 data breach that revealed alleged violations of the NYDFS Cybersecurity Regulation.

On July 24, 2025, the California Privacy Protection Agency finalized CCPA regulations on automated decision-making technology, risk assessments and cybersecurity audits.

In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information of approximately 6,800 individuals.

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The Department of Health and Human Services’ Office for Civil Rights recently announced two HIPAA enforcement actions involving failures to safeguard electronic protected health information in violation of the HIPAA Security Rule.

On April 8, 2025, the Department of Justice’s Final Rule restricting the bulk transfer of sensitive U.S. personal and government data to certain countries and persons of concern went into effect.

The Cyberspace Administration of China recently released requirements regarding data protection compliance audits, which will go into effect on May 1, 2025.